The T6 adapter registers its capabilities with the host Crypto API framework for the supported crypto protocols, leverages the services provided by the host operating system, and enables crypto operations to be offloaded onto the adapter.

Lower CAPEX and OPEX: By offloading cryptographic functions to the T6 NIC rather than investing in a more powerful processor with crypto capabilities, by processing cryptographic functions concurrently with regular network traffic, and by leveraging standard Ethernet infrastructure, Chelsio’s solution is positioned to keep CAPEX and OPEX low.

No third-party software development is required to enable encryption if the application already has built-in TLS/SSL, DTLS or IPsec crypto mechanisms.

Supported Cryptographic Offload & Acceleration Modes

Figure 2 – Co-Processor Crypto Mode

Cryptographic functions can be enabled through different mechanisms and support different protocols. At a high level, the traditional Co-processor mode is used for data-at-rest encryption/decryption and data-deduplication fingerprint computation, while Inline Crypto mode can authenticate and process encrypted packets for the application at the port level and encrypt outgoing packets when requested by the application. Chelsio adapters support both modes, and the solution is programmable enough to allow the desired modifications for optimization.

Traditional Co-processor Mode

This mode of operation is supported for the TLS/SSL, SMB 3.X and IPsec protocols, for functions such as data-at-rest encryption, decryption, authentication and data de-duplication fingerprint generation.

In the Co-processor mode of operation, either cleartext is sent to the adapter over the PCIe bus for encryption and authentication, or encrypted and authenticated ciphertext is sent to the T6 for decryption and authentication.

Key negotiation is performed by software on the host computer.

The T6 crypto Co-processor mode of operation can be combined with other offload capabilities.

Inline Mode

Figure 3 – Inline Crypto Mode

The Chelsio Inline crypto solution supports TCP/IP and TLS/SSL AES/SHA processing in cut-through fashion to achieve optimal bandwidth and latency. The offloaded connection is used to transmit and receive data. The handshake is executed on the host, while the data is encrypted and decrypted by the crypto engine in hardware.

T6 adapters offload the TLS PDU crypto, while the handshake is still performed by the host.

Key Negotiation/Exchange

The Chelsio cryptographic solution supports popular protocols and algorithms such as IKE (key negotiation), RSA, Diffie-Hellman and Elliptic Curve Cryptography (ECC), and provides the encryption capabilities built into applications with TLS/SSL and DTLS mechanisms. Chelsio adapters offload the TLS/SSL PDU crypto, while the handshake and key exchange are still performed by the host.

Key Negotiation Rate Use cases

A web server with high transaction rates from many different users requires support for a high negotiation rate, e.g., distributed software or dedicated hardware.

Media streaming requires a low rate: a client typically negotiates session keys once and then watches, e.g., a Netflix show or movie for 30 min to 2 hours using the same session key.

Supported Operating Systems

Currently, Chelsio’s Crypto Offload drivers for the Co-processor and Inline modes are available for Linux, supporting the following kernel versions:

Kernel.org linux-4.9

Kernel.org linux-4.8

The Linux drivers support both user-space and kernel-space interfaces. User-space applications can use the af_alg (AF_ALG) socket interface to reach the Chelsio crypto offload feature, while kernel-space modules access the Chelsio crypto offload features directly through Linux’s crypto framework.
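As an added example (not Chelsio's code and not taken from this page), the following Python shows the two checks a practitioner wants here: which registered Crypto API implementation the kernel will select for an algorithm, found by parsing /proc/crypto (the sample text and the offload driver name are constructed placeholders), and then driving that algorithm through the AF_ALG socket so that whichever driver won selection does the work. The same skcipher call applies to the xts(aes) data-at-rest case described later on this page.

```python
import socket

# Constructed sample of /proc/crypto; the offload driver name is a placeholder,
# not the real name of any Chelsio module.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-offload-placeholder
priority     : 3000

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
"""

def parse_proc_crypto(text):
    """Split /proc/crypto into one dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip(): v.strip() for k, _, v in fields})
    return entries

def selected_driver(text, algo):
    """The Crypto API routes a request for `algo` to the registered implementation
    with the highest priority; return that driver so an operator can confirm that
    the hardware path, not a software fallback, is actually selected."""
    cands = [e for e in parse_proc_crypto(text) if e.get("name") == algo]
    return max(cands, key=lambda e: int(e["priority"]))["driver"] if cands else None

def afalg_skcipher_encrypt(algo, key, iv, plaintext):
    """Encrypt one buffer with an skcipher (e.g. "cbc(aes)" or "xts(aes)") through the
    AF_ALG socket interface; the kernel dispatches to whichever driver won selection.
    Returns None when AF_ALG is unavailable (non-Linux host or a restricted sandbox)."""
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET) as alg:
            alg.bind(("skcipher", algo))
            alg.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            op, _ = alg.accept()  # the op socket carries data; alg holds the key
            with op:
                op.sendmsg_afalg([plaintext], op=socket.ALG_OP_ENCRYPT, iv=iv)
                return op.recv(len(plaintext))
    except OSError:
        return None
```

With a real /proc/crypto the driver name returned by selected_driver is the one to compare against the module the offload driver registers; if a software implementation wins, the adapter is not being used for that algorithm.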

Reference Use Cases

Inline Encryption for Media Streaming – CDN Secure Cloud

Content delivery networks (CDNs) are globally distributed networks of Point of Presence (POP) or proxy servers deployed in multiple datacenters. The goal of these large, broadly distributed CDNs is to serve content, including on-demand/live streaming media and downloadable media files from web servers, to end users over HTTP with high availability and high performance.

Figure 5 – Inline Crypto Use Case

In the above figure (Chelsio Crypto Enabled Video Streaming Capabilities), a CDN server (1) delivers 20K 5 Mbps streams of content (video, movies, IPTV, etc.) using a single T6 adapter. It offloads 20K TLS/SSL connections (3), and each of these connections is traffic-managed by the integrated traffic manager (2) to proceed at a 5 Mbps rate with low jitter.

This, combined with other capabilities like TCP/UDP Segmentation Offload, Pacing, TCP Traffic Management and traffic classification/filtering, provides much-needed acceleration for on-demand/live streaming media edge servers. The built-in T6 traffic manager can support up to 16 traffic classes concurrently; for example, there can be a 25 Mbps group in addition to the 5 Mbps group.

Data-at-Rest encryption/decryption

The T6 data-at-rest encryption/decryption uses the T6 crypto Co-processor mode of operation, as shown in the following diagram. The cleartext to be encrypted, e.g., with the AES-XTS algorithm, is sent to the T6 crypto engine and the ciphertext is returned. Decryption proceeds by sending the ciphertext, and the cleartext is returned. If encrypted data arrives on an inbound T6 port, it is decrypted and/or authenticated and delivered to the storage server stack:

Data is sent to and returned from the T6 Co-processor via DMA; (multiple copies of) re-encrypted data are written to SAS/FC/NVMe/NVMf storage.

The reverse flow is also enabled by T6 using a combination of Co-processor and Inline modes.

Data de-duplication fingerprint

The T6 crypto Co-processor can also be used for de-duplication fingerprint generation. For example, when offloaded iSCSI or NVMe-oF data is received, a fingerprint of the data is computed by feeding the data into the T6 crypto Co-processor and generating a SHA hash of the storage blocks, spreadsheets or PDF documents contained in the received data. The computed fingerprint can then be used to identify de-duplication opportunities when storing the data.

Security threats to web server clusters (normally located at the edge of the network), cloud-connected IoT devices (security cameras, printers, medical devices) and autonomous vehicles are growing at a very fast pace. Chelsio’s 1/10/25/40/50/100GbE cryptographic offload and acceleration solution has integrated capabilities to enable a point-to-point encryption (P2PE) network that secures both ends of the network.

Figure 7 – Inline Crypto for IoT Devices, and Web Servers Use Case

As shown in the diagram above, IoT devices connected to an Edge server can be configured either to use an encrypted overlay network tunnel or to provide encrypted Direct Data Path access over the browser. Enabling security at the host level, together with the ability to manage network traffic on a per-flow basis, provides a stringent security solution for today’s datacenter networks.